Here's my general rule of thumb: If it's a simple validation such as testing for existence, whether it's an integer, valid date format, etc., put it in the validate() method of the ActionForm. If it's something that could be described as a "business rule", it should be done in the action class, and the actual verification logic should go in a class that is part of the "model" layer of your MVC application.

For example, if a password input cannot be blank, that's a simple rule and can be done in the validate method. If a password has to have at least one upper-case character and one numeric character, but cannot start with a numeric character, that's a business rule, and should be done in the Action class with the rule itself coming from a model-layer class.

The point of making this distinction is to preserve the integrity of the MVC model.

I agree with Merrill's suggestion. To take his example a step further. Say you have to validate that the entered password does not match any of the user's previous 8 passwords. There is no way that you would want to implement this type of validation in the form.